TP-Link fixes critical RCE bug in popular C5400X gaming router

The TP-Link Archer C5400X gaming router is affected by security flaws that could allow an unauthenticated, remote attacker to execute commands on the device.

The TP-Link Archer C5400X is a premium tri-band gaming router designed to deliver robust performance and advanced features for gaming and other demanding applications. Based on the number of user reviews of the product in online stores, it seems to be a popular choice among gamers.


Arbitrary command execution on a router can lead to hijacking of the device, interception of data, modification of DNS settings, and potentially a breach of internal networks.

Vulnerability Details

The flaw in the TP-Link Archer C5400X is tracked as CVE-2024-5035 (CVSS v4 score: 10.0, “critical”) and was found by OneKey analysts using binary static analysis.

Researchers discovered that the “rftest” binary exposes a network service vulnerable to command injection and buffer overflows on TCP ports 8888, 8889, and 8890.

The “rftest” service runs a network listener on these ports to perform wireless interface self-assessment and associated tasks.

An attacker can send specially crafted messages containing shell metacharacters to these ports, potentially achieving arbitrary command execution with elevated privileges.

Shell metacharacters are special characters such as semicolons, ampersands, and pipes that are used for better control of functions on command line shells. However, they can also be abused for command execution when user input is not properly sanitized to prevent unauthorized actions.

Order ID injection via port 8888
Source: OneKey

Fix available

Because these ports are open and actively used by the “rftest” service in the router’s default configuration, the flaw affects all users of the device running vulnerable firmware versions, up to 1.1.1.6.

OneKey analysts reported their findings to TP-Link’s PSIRT on February 16, 2024, and the vendor had a beta patch ready on April 10, 2024.

Finally, the security update arrived last week on May 24, 2024, with the release of Archer C5400X(EU)_V1_1.1.7 Build 20240510, which effectively fixes CVE-2024-5035.

The fix discards any command containing shell metacharacters, so that these are filtered out of all incoming messages.
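The filtering described above can be sketched in C as follows. This is an added example, not TP-Link's or OneKey's code: the function names, the buffer and argument limits, and the sample command strings are assumptions. It goes one step beyond the metacharacter filter by bounding the message length (the article also mentions buffer overflows) and by splitting the input into an argument vector, so the command can be started without a shell.

```c
#include <stdio.h>
#include <string.h>

/* Characters a POSIX shell interprets; the article names ';', '&' and '|'. */
static const char SHELL_META[] = ";&|`$<>(){}[]*?!~#'\"\\\n\r";

/* Returns 1 if any byte is a shell metacharacter or an embedded NUL. */
int has_shell_metachar(const char *msg, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (msg[i] == '\0' || strchr(SHELL_META, msg[i]) != NULL)
            return 1;
    return 0;
}

/* Validate one message and split it into argv[]; returns argc, or -1 to discard. */
int parse_command(const char *msg, size_t len, char *buf, size_t buf_sz,
                  char *argv[], int max_args)
{
    int argc = 0;
    if (max_args < 2 || len == 0 || len >= buf_sz)  /* bounded copy, no overflow */
        return -1;
    if (has_shell_metachar(msg, len))               /* the filtering the fix describes */
        return -1;
    memcpy(buf, msg, len);
    buf[len] = '\0';
    for (char *p = buf; *p != '\0'; ) {
        while (*p == ' ' || *p == '\t') *p++ = '\0'; /* end previous token */
        if (*p == '\0') break;
        if (argc >= max_args - 1) return -1;         /* keep room for NULL */
        argv[argc++] = p;
        while (*p != '\0' && *p != ' ' && *p != '\t') p++;
    }
    argv[argc] = NULL;  /* ready for execv(): no shell ever parses the input */
    return argc > 0 ? argc : -1;
}

int count_args(const char *msg)  /* wrapper for the constructed samples */
{
    char buf[64], *argv[8];
    return parse_command(msg, strlen(msg), buf, sizeof buf, argv, 8);
}

int main(void)
{
    printf("%d\n", count_args("wl -i eth1 status"));  /* constructed, accepted */
    printf("%d\n", count_args("wl status; reboot"));  /* constructed, discarded */
    return 0;
}
```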

Users are recommended to download the firmware update from the official TP-Link download portal or use their router’s admin panel to perform the update.

News Source : www.bleepingcomputer.com